Regulation in the 21st Century: From Prescription to Collaborative Supervision

1
Regulation in the 21st CenturyFrom Prescription
to Collaborative Supervision

• Priscilla Rabb Ayres
• Global Regulatory Executive, Financial Services
  Sector
• IBM
• 10th XBRL International Conference, November 16,
  2004
• rabbayres_at_us.ibm.com

2
Agenda

• Regulation in the Information Age Background
• What is new about regulation in the 21st century?
• Drivers for change
• The new regulatory paradigm Risk-Based
  Supervision
• Financial Services Sector
• Sector specific drivers for change
• Illustrative initiatives
• Basel II
• IMF/WB Financial Sector Assessment Program
• Sarbanes Oxley
• The role of Extensible Business Reporting
  Language (XBRL)
• Thoughts on successful navigation of the
  regulatory paradigm

3
The Industrial Age approach to regulation is out
of step in the Information Age

• Traditional regulatory regimes are characterized
  by static focus
• highly prescriptive and rules-based
• Compliance is siloed and risks stand alone
• Compliance functions typically low level and
  dispersed throughout organizations
• Regulation viewed as exclusively the concern of
  the government
• Focus on discrete violations and correction of
  those violations
• Shortcomings for application in the 21st century
• Inflexible and unable to keep up with rapid
  change
• May not capture risk appropriately
• Dependencies not adequately assessed
• Can encourage gaming the system (e.g. Enron)
• Highly labor intensive and slow
• Traditional system failed to recognize early
  warning indicators for the Enron, WorldCom,
  Parmalat, BCCI, Barings Bank, Vivendi, etc.

4
Key drivers for regulatory change have roots in
globalization, deregulation, and consolidation,
powered by technological advances

• The global economy has become a reality
• Interdependence of global markets exacerbates
  contagion risk
• Deregulation fosters freer play of competitive
  forces
• Multinational companies are challenging legal and
  regulatory jurisdictional boundaries
• Industry consolidation raises unprecedented
  levels of risk
• Concentration of systemic risk in fewer companies
• Technology rapidly changing products, processes,
  and capabilities business becoming increasingly
  complex
• Critical infrastructure protection
• Heightened security and privacy concerns for data
  and people
• Threat of international terrorism

5
These drivers are forcing a sea change in
regulatory focus, approach, and implementation

• Must be proactive and anticipate vulnerabilities
• Regulations have global impact
• Jurisdictional sovereignty must be rethought
• Legal and cultural clashes are inevitable and
  must be reconciled
• Innovation and complexity rule in successful
  markets
• Regulators challenged to meet fiscal and skills
  requirements
• Reward innovation while mitigating risks
• Risks evolve and transform constantly
• Identification and appreciation of risk must be
  proactive
• Metrics must remain meaningful
• Collaboration and communication among regulators,
  regulated entities, and third party service
  providers critical
• Terrorism risks are relatively new,
  unpredictable, and harmful
• Individual privacy and security is challenged by
  technological advances and justifiable
  need-to-know national security measures

6
Risk based supervision (RBS) accommodates change
and complexity and is being broadly adopted

• Looks to the future -- aim is to prevent crises
• Supervision of systemic risk by industry, firm,
  and customer base
• The common thread is reliance on sound risk and
  compliance protocols and business performance
  management
• Focus on corporate governance and senior
  management accountability
• Standards-based measurement of risk exposure and
  dependencies
• Enhanced collaboration between regulators and
  regulated
• Supervisory tools and intensity linked to areas
  of risk and concern

7
This regulatory paradigm is characterized by
flexibility, collaboration, technology, use of
global standards but with tougher standards and
aggressive enforcement

• Adoption of RBS model evident in most regulated
  industries
• Increased reliance on global standards
  organizations and on development of appropriate
  global standards
• Aggressive efforts to harmonize regulatory bodies
  globally
• Greater leverage of technology by regulators to
  intensify impact of supervision and lower costs
• Greater scrutiny of technology providers and the
  use of technology for compliance
• Focus on high priority systemic risks and
  organizations
• Severe penalties for non-compliance
  The stakes have never been so high

8
The RBS model suits all regulated industries but
implementation is swiftest in the financial
services sector

• Recent corporate scandals and economic crises
  have forced urgent action to restore stability
  and confidence in financial markets
• The impact and repercussions of 9/11 redoubled
  the effort
• The IMF and BIS have established frameworks that
  have evolved to respond to the emerging
  challenges
• Communication within the sector time-honored
• Financial service regulatory bodies have shared
  interests and have been pursuing like paths for
  years
• Early adopters, such as the UK Financial Services
  Authority, provide experience and validation
• RATE (Risk Assessment, Tools of Supervision,
  Evaluation) adopted in 1997
• Introduces consistency and use of best practices
  in bank supervision
• Focuses supervisory efforts on banks with highest
  risk profile

9
The financial services industry has experienced
dramatic changes in recent years and the pace of
change continues

• Systemic importance of a small number of large
  transnational financial conglomerates
• Significance of non-bank financial institutions
  such as investment banks and hedge funds has
  risen, complicating market surveillance
• Stronger role of government sponsored enterprises
  (GSEs)
• Unprecedented convergence has blurred traditional
  boundaries
• Between financial institutions and capital
  markets
• Among different types of financial institutions
• Among different national jurisdictions
• Technology is both a major agent of change and
  focus of risk management
• Prevalence of outsourcing of financial services
  to non-financial non regulated -- entities
  growing rapidly Management of risk and
  compliance is paramount

10
Regulators are refining their approach to better
address key areas of systemic impact

• Standards applied to largest financial
  institutions calibrated to reflect their systemic
  relevance
• Capital targeted to achieve greater ability to
  absorb shocks capital cushion over regulatory
  thresholds
• Internal risk management regime -- for credit and
  market, operational, and compliance risk needs
  to meet higher standard
• More demanding requirements for technology system
  operational resilience
• Upgrade of regulatory and internal risk
  management framework for government sponsored
  entities (GSEs) to reflect higher risk profiles
  and systemic risk potential
• Enhanced focus on institutions that make up the
  core of our payments systems
• Operational resilience
• Updated standards for risk management and
  internal financial resources
• Strengthen oversight framework Source
  Timothy Geithner, President and CEO, Federal
  Reserve Bank of NY. Changes in the structure of
  the US financial system and implications for
  systemic risk, October, 2004

11
and to incorporate supervision of emerging
practices and capabilities

• Strong focus on outsourcing of financial services
• FFIEC updated handbook, Outsourcing Technology
  Services
• BIS Joint Forums consultative paper,
  Outsourcing in Financial Services
• Increased attention to the rise and risks of
  offshoring
• Expanded supervision of technology service
  providers
• FDIC handbook on technology service providers
• Example of expansion into non-regulated
  industries that increasingly impact business
  processes of regulated ones
• Collaborative outreach among regulators
• BIS Joint Forum
• PCAOB and Eighth Company Law Directive
• SEC and CESR announcement of May 26 for greater
  collaboration between SEC and EU securities
  regulatorsSupervision and compliance continue
  to get increasingly complex

12
The number of regulations impacting financial
institutions are increasing, but there are
common themes that cross jurisdictional boundaries

• Capital adequacy
• Senior management oversight and accountability
• Anti Money Laundering
• Identity theft and fraud
• Privacy and security
• Critical infrastructure protection -- resiliency
• Outsourcing of financial services
• Harmonization of accounting principlesAll deal
  with systemic risk and management of that risk

13
Critical tools and processes that facilitate
internal risk and compliance efforts and external
supervision are evolving

• Enterprise risk management and compliance
  solutions
• Enhance senior management control of operations
• Provide transparency and auditability
• Enhance confidence of regulators and the public
• Increasing reliance on global standards
  organizations that provide industry specific
  metrics to manage toward
• Stress-testing and scenario methodologies
• Outreach by regulatory authorities to harmonize
  regulations globally and coordinate supervision
• Use of emerging technologies -- notably XBRL
• Global regulatory reporting
• Regulator to regulator communication
• Enterprise internal risk and compliance.

14
risk management being the underlying imperative

• "Indeed, better risk management may be the only
  truly necessary element of success in banking."
  Alan Greenspan, Federal Reserve Chairman
  reportedly commenting on better management of
  banking risk and new rules on capital being the
  key to a stronger banking system contributing
  more to economic growth.

15
Three major programs dominate the sector and will
help mold the future of financial services
regulation

• Basel II
• Devised to improve the soundness of the financial
  system by aligning the regulatory capital
  requirement to underlying risks
• Banks encouraged to conduct better risk
  management and enhance market discipline
• Sarbanes-Oxley (SOX)
• Addresses the accounting vulnerabilities exposed
  in recent corporate and financial scandals
• Motivated by the need to restore confidence in
  capital markets
• World Bank/IMF Financial Sector Assessment
  Program (FSAP)
• Mission Achieve a diversified competitive global
  financial services sector to promote sustained
  economic development and poverty reduction
• Objectives Alert national authorities to
  vulnerabilities in their financial sectors,
  internal and external, and assist in design of
  measures to reduce those vulnerabilities
• Assessments are voluntary and are conducted by
  the IMF and WB, supported by national agencies,
  central banks, and standards-setting bodies

16
Basel II is arguably the dominant force in the
transformation of global financial regulation.

• Precipitated by recognition of the critical role
  played by operational risk
• And incorporates latest technology for managing
  risk
• Regulatory/supervisory collaboration and global
  reach Basel Committee on Banking Supervision a
  venerable body
• Industry input is valued in development of
  implementation guidelines
• Pillar II addresses the supervisory review
  process
• Reliance on robust internal control processes
• Management oversight and accountability
• Cross jurisdictional supervisory coordination
  mandatory for effective implementation for a
  global bank
• Approximately 9,400 supervisors worldwide will
  need training

17
.and its impact extends well beyond the Basel II
countries and institutions

• Global impact and influence
• More than 100 countries, including over 88
  non-BCBS, are expected to implement Basel II by
  2009
• Reputational risk and competitiveness
• Largely driven by local offices of foreign banks
• Its principles and approaches are incorporated
  in the IMF/WB FSAP
• Epitomizes the imperatives of proactive risk
  identification and mitigation supported by
  validated standards and management accountability
  
• SEC has outlined a risk-based capital framework
  based on Basel II to provide consolidated
  supervision of major investment banks-- and the
  Counsel of European Securities Regulators (CESR)
  is not far behind

18
Sarbanes Oxley has captured the attention of
public companies, the accounting profession,
regulators, and third party service providers

• Precipitated by corporate scandals and impact on
  confidence in global financial markets
• The implementation timetable is aggressive
• Senior manager accountability in spades!
• Focus on accounting profession and internal
  auditing
• Auditability, including e-mail and RM, archiving
  capabilities
• Impact on non-us based companies is real and
  immediate
• Costly compliance can be balanced by positive
  transformation of business processes
• Enronitis not a US-only vulnerabilityDespite
  the pain of compliance, few argue with the benefit

19
The impact of SOX extends well beyond US borders
like it or not!

• What does Sarbanes-Oxley mean? Thats when
  two members of U.S. Congress fiddle and half a
  million accountants in Europe start dancing.
  Quote attributed to the spokesman of a
  leading European industry group Klaus C.
  Engelen, Preventing European EnronitisThe
  International Economy, Summer 2004

20
The Public Company Accounting Oversight Boards
scope illustrates challenges raised by emerging
regulations

• Changes in US capital market laws impact and in
  some cases conflict with -- laws, regulations
  and corporate governance systems of EU member
  states
• Requires EU audit firms to register with the
  PCAOB
• Subjects all major EU audit firms to double
  oversight
• US access to foreign firms audit papers violates
  EU member states laws and/or professional
  standards that require strict confidentiality
  
• Collaborative outreach underway to minimize the
  extraterritorial shock
• EUs new Corporate Governance Action Plan (May
  2003)
• Eighth Company Law Directive Will clarify the
  duties of statutory auditors
• PCAOB negotiating with the EU Commission to
  cooperate on oversight structures for EU audit
  firms to harmonize SOX and EU requirements
• SEC and the Committee of European Securities
  Regulators (CESR) formally announced greater
  collaboration on May 26, 2004

21
FSAP is an excellent example of the new
regulatory paradigm with one major difference

• Global scope and context Covers all IMF member
  countries
• Purpose is to avoid crises through vulnerability
  identification and mitigation
• Focus on systemic risk prioritized by potential
  for adverse impact
• Relies on established global standards that are
  applied according to basic nature of the economy
• Collaboration between regulatory, political,
  industry, and private sector authorities/experts
• Uses increasingly sophisticated methodologies and
  technologies to assess and mitigate risk
• IMF and WB technical assistance support
  corrective follow-up
• But FSAP is voluntary and virtually
  penalty-free

22
The FSAP is a comprehensive diagnostic framework
aimed at crisis prevention and mitigation

• It is the preferred tool for strengthening IMF
  surveillance and Bank development work in the
  financial sector
• Approach developed and refined through
  cooperative efforts of all FSAP stakeholders to
  achieve best practices
• Identifies financial system strengths,
  vulnerabilities, and risks
• Engages all stakeholders public and private
• Assesses observance and implementation of
  relevant international standards, codes, and best
  practices (ROSCs)
• Analyzes overall financial stability within
  macroeconomic context
• Provides recommendations for improvement and
  rectification
• Identifies and prioritizes development and
  technical assistance needs
• Leverages peer review and positive reinforcement
  no enforcement per se

23
Basel II, SOX, and FSAP represent the goals,
promise -- and challenges of regulation in the
21st century

• Excellent examples of RBS for the innovation
  economy
• Principles of sound risk mitigation
  infrastructures, senior management
  accountability, auditability, and collaboration
  resonate
• Defined interdependent roles for stakeholders --
  all must work together to a shared goal
• Appreciation for threat of systemic risk and
  value of crisis avoidance
• Adaptable approach to encourage growth and
  innovation, but serious penalties for
  non-compliance
• Challenges
• Global impact, if not direct global scope
• Harmonization of political, cultural, geographic,
  and language differences
• Variations in sophistication and resiliency of
  economies and local institutions
• Jurisdictional overlap and complexities
• Risk exposures and profiles constantly changing

24
and XBRL is ideally suited to help stakeholders
achieve the promise of those shared goals

• XBRL is poised to Web-enable business reporting
  and is the emerging standard for regulatory
  reporting
• Transparency
• Common language
• Royalty free open specification that uses XML
  data tags to describe financial information and
  add context to content
• Provides automated and more reliable exchange of
  regulatory and financial information across all
  software formats and technologies
• Information reusability and analysis enhanced
  information available electronically for multiple
  purposes and reports
• Cycle time significantly reduced and human error
  minimized
• Rekeying and reformatting of data eliminated
• Data for customized reports easily identified
• Reports more current
• Global regulatory adoption on the rise
• UK Inland Revenue
• FDIC Call Report Modernization Project
• SEC
• National Tax Agency of Japan (Kokuzeicho)

25
XBRL powers and empowers Risk Based Supervision

• Provides common format for growing volumes of
  complex business information regulators must
  manage
• Tagged data affords depth of information and
  context easily analyzed and benchmarked
• Timely data access that enhances collaboration
  between regulators and regulated entities as
  well as other regulators
• Internal savings in time and money affords focus
  on greatest systemic risks
• Improved filing accuracy
• Promotes consistency and comparability among
  various regulatory reports and adaptability to
  new requirements
• Companies can use same basic data for numerous
  internal and external reports providing
  consistency at significantly lower costs
• Enterprise risk and compliance frameworks for
  transnational conglomerates significantly
  improved

26
Successful navigation of the new global
regulatory streams requires constructive
proactive engagement

• Accept the reality of change, complexity, and
  uncertainty
• All stakeholders must engage actively and
  proactively in the process
• Regulator relationship management know your
  regulators and let them get to know you
• Integrate risk management, compliance awareness,
  and accountability into your core business
  operations
• Develop internal governance processes that are
  robust, transparent, and well-documented
• Facilitate auditability if not documented, it
  hasnt been done
• Carefully weigh balance between global standards
  and local compliance requirements
• Leverage industry groups and important
  influencers
• Encourage more robust collaboration between
  regulators, regulated industries, and technology
  service providers

27
Most of all, embrace change and leverage the
value of XBRL!

• Thank you!